Fix the latest WordPress hack

Here’s the solution for tackling it, for the moment, until the attack adapts. Log into your MySQL database (most hosts expose it via phpMyAdmin) and execute this query, using straight single quotes (smart quotes won’t parse) and your own table prefix in place of csp891_ if it differs:

SELECT * FROM `csp891_options` WHERE option_name LIKE 'rss%' ORDER BY `csp891_options`.`option_name` ASC

You should see only a few entries unless you use syndication software like SimplePie. What you’re looking for is an entry that starts with rss_ and then some random numbers. The text of the entry is encoded javascript, which looks like this:

Delete this entry. It should be safe to do so (back up your WordPress first).

Keep an eye on your MySQL database as well for this entry to reoccur since no one is sure how this hack is happening, just that it is.
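The query above lists every rss_ row and leaves you to eyeball the values. As an added example (not part of the original post), here is a small Python audit that runs over an exported copy of the options table, decodes any long base64 run in a value so the encoded script can be matched in the clear, and emits the DELETE statements to paste into phpMyAdmin once each finding has been reviewed. It assumes rows exported as (option_name, option_value) pairs and a table prefix passed in as `prefix`; the sample rows and the encoded "payload" are constructed for the demo, and the option names it treats as known-bad (check_hash, class_generic_support, widget_generic_support) are the ones readers report in the comments on this page. Legitimate rss_ rows written by MagpieRSS or SimplePie hold serialized feed data, not code, so the check is on the value, not just the name.

```python
import base64
import re

# Option names readers report as injected (without the table prefix); none is a WordPress core option.
KNOWN_BAD_NAMES = {"check_hash", "class_generic_support", "widget_generic_support"}
# Tokens that have no business inside a stored option value.
SUSPECT_TOKENS = ("eval(", "base64_decode(", "<script", "document.write", "<iframe", "pharm")
# A run of base64 alphabet long enough to be a payload rather than an ordinary word.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample rows in the shape of an (option_name, option_value) export of the options
# table. The encoded "payload" is a harmless constructed string that only mimics the pattern
# the post describes: a base64 blob wrapped in a script call.
INJECTED_JS = base64.b64encode(
    b'document.write("<script src=\\"http://example.invalid/x.js\\"></script>")'
).decode()
SAMPLE_ROWS = [
    ("siteurl", "http://example.invalid"),
    ("blogname", "A blog"),
    # a legitimate feed-cache row written by MagpieRSS/SimplePie: serialized feed data, no code
    ("rss_0123456789abcdef0123456789abcdef", 'O:9:"MagpieRSS":1:{s:5:"items";a:0:{}}'),
    # the injected row: a feed-cache-looking name hiding an encoded payload
    ("rss_deadbeefdeadbeefdeadbeefdeadbeef", "eval(base64_decode('" + INJECTED_JS + "'))"),
    ("wp_check_hash", "<script>" + INJECTED_JS + "</script>"),
    ("widget_generic_support", ""),
    ("class_generic_support", '<a href="http://example.invalid/">cheap pharm</a>'),
]


def decoded_payloads(value):
    """Decode every long base64 run in value so encoded script can be matched in the clear."""
    out = []
    for m in B64_RUN.finditer(value):
        try:
            out.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error subclasses ValueError: not real base64, skip it
            pass
    return out


def audit_options(rows, prefix="wp_"):
    """Return [(option_name, [reasons])] for rows that deserve a look before deletion."""
    findings = []
    for name, value in rows:
        reasons = []
        bare = name[len(prefix):] if name.startswith(prefix) else name
        if bare in KNOWN_BAD_NAMES:
            reasons.append("option name reported as injected; not a core option")
        candidates = [("value", value)] + [("decoded payload", p) for p in decoded_payloads(value)]
        for label, text in candidates:
            low = text.lower()
            hits = [t for t in SUSPECT_TOKENS if t in low]
            if hits:
                reasons.append("%s contains %s" % (label, ", ".join(hits)))
        if name.startswith("rss_") and reasons:
            reasons.append("feed-cache style name; real rss_ rows hold serialized feed data, not code")
        if reasons:
            findings.append((name, reasons))
    return findings


def delete_statements(findings, prefix="wp_"):
    """SQL to paste into phpMyAdmin after each finding has been reviewed (quotes doubled for safety)."""
    return [
        "DELETE FROM `%soptions` WHERE option_name = '%s';" % (prefix, name.replace("'", "''"))
        for name, _ in findings
    ]


if __name__ == "__main__":
    found = audit_options(SAMPLE_ROWS, prefix="wp_")
    for name, reasons in found:
        print(name)
        for r in reasons:
            print("   -", r)
    print("\n".join(delete_statements(found, prefix="wp_")))
```

Run against a real export, the two `siteurl`-style rows and the genuine feed cache stay silent while the four injected rows are reported with the decoded text that triggered them; back the table up before running the generated DELETEs, as the post says.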

UPDATE 4/9:

This hack is recurring almost daily. I’m not sure what the entry point is. That said, I have two suspicions I’m testing right now. The first is a note from reader Ivan Walsh who said that I’m getting some bizarre images in my image loader on the front page of the blog. That image stuff is controlled by TimThumb via this theme, so I patched TimThumb manually from their SVN repository to the latest version 1.12. We’ll see if that makes a difference there.

The second update I made is based on a hunch from the database hack itself – it’s inserting as an RSS option. Here’s the thing, which users of FeedWordpress know but not necessarily everyone else – WordPress ships with a version of Magpie. An old, out of date, broken version. If you grab the FeedWordpress plugin from the Codex and follow JUST the Magpie upgrade install, this should get those two files, rss.php and rss-functions.php, up to date. Again, we’ll see if this makes a difference.

For those other folks getting hacked – are you using TimThumb? Have you patched rss.php and rss-functions.php? Any more success or failure?

UPDATE 4/12:

Neither updating TimThumb nor Magpie made a difference. The hacked string showed up in the database not an hour after. So, now using some .htaccess mojo to lock down wp-admin. We’ll see if this works.

UPDATE 4/12:

After slapping .htaccess on wp-admin, the hack is still re-occurring. The plot thickens.

UPDATE 4/13:

Cautious optimism. Here’s what I’ve done in the last 24 hours since I received a warning via Google’s Webmaster tools that my site has been pulled from their index for cloaking.

Installed the Secure WordPress plugin and turned all options on.

Renamed all database table prefixes (which was fairly unpleasant to do by hand).

So far, I’m cautiously optimistic – the RSS data entry has not reappeared yet, and it’s been nearly instantaneous in the past.

UPDATE 4/14:

So far, the hack has not re-occurred. Also, Matt from WordPress has come out with an official statement saying that this is a server-level hack, which means that you need to strictly enforce permissions and set wp-config.php to 640 as well as tighten down any other file-based permissions. That makes total sense as the database information is encoded in wp-config.php, so make sure that’s locked down.

So, the recipe for the time being seems to be to lock down permissions using some of the many security plugins out there, tighten down wp-config.php, clean up your database using MySQL’s tools (or phpMyAdmin, depending on your host), and keep an eye on things. If your site runs clean, then make sure that you log into Google’s Webmaster Tools and submit your site for reinclusion in Google’s index. If you kept confidential customer information on your web site, you MUST assume it has been compromised and notify customers as appropriate.
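To make the "lock down permissions" step checkable rather than a matter of eyeballing an FTP client, here is an added Python audit (not from the original post). It walks a WordPress document root and reports wp-config.php when its mode is looser than the 640 recommended above, anything world-writable, and PHP files sitting in upload or image directories, which is where a commenter on this page found a dropped backdoor; `lock_wp_config` then applies the 640 fix. The directory layout it builds in a temp directory is constructed for the demo and is not a real install.

```python
import os
import stat
import tempfile

# Modes acceptable for wp-config.php: the post says 640; tighter variants are fine too.
WP_CONFIG_OK_MODES = {0o640, 0o600, 0o440, 0o400}
PHP_SUFFIXES = (".php", ".php5", ".phtml")
# Directories that hold static assets only; a PHP file under one of these is a red flag.
UPLOAD_DIR_NAMES = ("uploads", "images", "img")


def audit_tree(root):
    """Walk a WordPress docroot and return sorted (relative_path, problem) pairs."""
    problems = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        for entry in dirnames + filenames:
            rel = "/".join(parts + [entry])
            mode = stat.S_IMODE(os.lstat(os.path.join(dirpath, entry)).st_mode)
            if mode & stat.S_IWOTH:
                problems.append((rel, "world-writable (mode %o)" % mode))
            if rel == "wp-config.php" and mode not in WP_CONFIG_OK_MODES:
                problems.append((rel, "wp-config.php is mode %o, expected 640" % mode))
            if entry.lower().endswith(PHP_SUFFIXES) and any(p in UPLOAD_DIR_NAMES for p in parts):
                problems.append((rel, "PHP file inside an upload/image directory"))
    return sorted(problems)


def lock_wp_config(root):
    """Apply the post's recommendation (mode 640) to wp-config.php and return the resulting mode."""
    path = os.path.join(root, "wp-config.php")
    os.chmod(path, 0o640)
    return stat.S_IMODE(os.stat(path).st_mode)


def build_demo_tree():
    """Constructed WordPress layout with deliberate problems; not a real install."""
    root = tempfile.mkdtemp(prefix="wpaudit-")
    layout = {
        "wp-config.php": 0o644,                                   # too loose
        "index.php": 0o644,                                       # fine
        "wp-content/uploads/2010/04/photo.jpg": 0o644,            # fine
        "wp-content/uploads/2010/04/image.php": 0o644,            # PHP in uploads
        "wp-content/themes/default/images/thumb.php": 0o666,      # PHP in images, world-writable
        "wp-content/themes/default/style.css": 0o644,             # fine
    }
    for rel, mode in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n" if rel.endswith(".php") else "")
        os.chmod(path, mode)
    for dirpath, dirnames, _ in os.walk(root):  # pin directory modes so the demo is deterministic
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, problem in audit_tree(demo):
        print("%-50s %s" % (rel, problem))
    print("wp-config.php now mode %o" % lock_wp_config(demo))
```

Point `audit_tree` at the real document root and treat every hit as something to explain: a PHP file under uploads/ has no legitimate reason to exist, and a loose wp-config.php exposes the database credentials the post warns about.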

I’ll add this last bit in: I have absolutely no capacity to offer any kind of help, unfortunately, to folks who have had this happen to them. That said, my assistant, Chel Wolverton, is able to help you out with this if you can’t do it yourself.


Get this and other great articles from the source at www.ChristopherSPenn.com! Want to take your conference or event to the next level? Book me to speak and get the same quality information on stage as you do on this blog.

http://paulgailey.com/ Paul Gailey

It's great to get wind of this #wordpress security issue by reading your blog by sheer (&delightful) chance, however I'm surprised that @wordpress on Twitter doesn't talk about this. Even internet brands need to step outside their comfort zone boltholes to communicate widely. (I'm sure I'll now get spanked that it was published in some bug what not IRC channel or whatever obscure geek backwater…)

http://www.zone38.net/ codeman38

Just a quick thing that may be worth noting – if you copy and paste the SQL code from this page, it won't work because of WordPress converting the quotation marks to smart quotes.

mwaterous

@author,

I'm not a security expert, but it might be worthwhile to download a copy of your WP installation, install a clean copy and then run a diff against both to look for injected code or files that shouldn't be there. You could probably use software like WinMerge if you're on MS locally.

@Paul,

This is because they're looking into it. The code of conduct for WordPress is that hacks and security breaches are to be reported to [email protected], as per this FAQ. Until it is a) confirmed that it is a WordPress security breach and not just a lack of security on the host, and b) a fix is found they prefer not to advertise it and basically invite all the script kiddiez in the realm to try their hand at it.


http://twitter.com/andrewstrader Andrew Strader

Do you think it could be caused by a backdoor in a plugin? I know we all download and install tons of plugins, but how often does anyone review the source code for one of them to see if there are any security issues with it?


http://www.njnnetwork.com/ Stephen Pate

It would be nice if you dated your posts so we can tell if you are talking about now or history.

Rafael

I had my site hacked and a backdoor placed in wp-content/themes/default/xmlrp.php. Everyone should do a grep for base64 encoded content in php files. That's what I found.

http://twitter.com/MillerMosaicLLC Yael K. Miller

My options table is named csp891_options


http://webandyou.avelient.com Mariano

I've read the fix to be related to permissions on the wp-config.php file. Generally most hosts don't install this with a high level of protection. Set your file permission to 640 (owner: rw, group: r, everyone:nill), then change your database password, and then clean out the malicious code. See if that helps.

JD

Several people I have pointed this site to have said linking to it attempts to install malware on their computer – FYI


http://www.ChristopherSPenn.com Christopher S. Penn

Yes, part of the hack. Hopefully, I've finally nailed the sucker.

http://www.ChristopherSPenn.com Christopher S. Penn

Good suggestion, i'll throw that in.

http://carlislegrp.com/blog CarlisleGroup

Hi Chris,

I've had a hack on one of my wife's blogs for a couple of months, since v2.7 I think. It's almost a daily battle. It started with a user access that left a comment. It's been locked down, but still keeps getting compromised. I've gone into the MySQL with both PHPAdmin, HeidiSQL and other tools to sniff out the problem. I've read somewhere that there is a way to mask an entry so that PHPAdmin doesn't “see” it. Something about creating a table that doesn't show up in the SQL tools.

So, I've moved all of my, and my client's blogs, websites, everything, off WordPress. I first got that idea from Robert Scoble. It was a painful decision that took a couple of weeks to make (while I cleaned websites daily), and more weeks to accomplish. Here's the link http://scobleizer.com/2009/09/05/i-dont-feel-sa…. Also, in his comments, someone pointed out the PHPAdmin vulnerability.

I'm not being an alarmist, I just feel like I would rather spend my time on more productive things than battling it out with a server somewhere half-way-around-the-globe that is trying to infect my website.

gravity

I didn't have this hack according to your identification method with the bizarre RSS% entry.

I'm on a dedicated server, which is hardened by LiquidWeb before commissioning, and on which I had already changed the db prefix from default, already had “Login Lockdown” plugin installed and passed all of the “WP Security Scan” checks.

I did install “Secure WordPress” though, regardless.

I have no idea if I'm immune or just lucky, and sorry to hear about the troubles you had.

http://kikolani.com/ Kristi Hines

The last time there was a major WP hack, I found the backdoor into my site was a php file in all of my images folders (between the plugins, themes, and uploads, there were a lot). So until I deleted those, it kept re-inserting the code every chance it got.

Corey

I had the exact same problem, with the same injected rss_ field in my wp_options table. After digging around forever, changing passwords, updating wordpress, changing database permissions and splitting out database users, deleting spam comments, disabling various wp-include files, etc. it ended up being the WP-Super Cache plugin. I deleted the plugin directory (after being prompted that I didn't have permissions to do so), and deleted that injected rss record, and it hasn't come back in 17 hours.


http://reface.me/ dwergs

Great tip, but how can I search specifically for base64 encoded content?
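Answering the question above, and mwaterous's earlier suggestion to diff the install against a clean copy, here is an added Python example that is not from the original post or any commenter. It hashes a clean WordPress copy and the live install, lists files that were added or modified, and then reports, for each such PHP file, the indicators worth grepping for: calls such as eval( and base64_decode(, and long quoted base64 literals that decode to PHP, script tags or further obfuscation. The two directory trees and their file contents are constructed for the demo; the path wp-content/themes/default/xmlrp.php mirrors Rafael's report, and the "payload" is a harmless placeholder string. A base64 literal that decodes to image bytes is deliberately left unflagged, since plugins legitimately embed data URIs.

```python
import base64
import hashlib
import os
import re
import tempfile

# Calls that show up in obfuscated PHP far more often than in honest code.
OBFUSCATION_RE = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I
)
# A quoted base64 literal long enough to carry code rather than a short token.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{60,}={0,2})['\"]")
PHP_SUFFIXES = (".php", ".php5", ".phtml")


def sha256_tree(root):
    """Map relative path -> sha256 of content for every regular file under root."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_clean(clean_root, live_root):
    """Files the live install has that the clean copy lacks, and files whose content differs."""
    clean, live = sha256_tree(clean_root), sha256_tree(live_root)
    added = sorted(p for p in live if p not in clean)
    modified = sorted(p for p in live if p in clean and live[p] != clean[p])
    return added, modified


def obfuscation_indicators(path):
    """Reasons a PHP file deserves manual review; an empty list means nothing suspicious was seen."""
    with open(path, "rb") as fh:
        text = fh.read().decode("utf-8", "replace")
    reasons = {m.group(1).lower() + "(" for m in OBFUSCATION_RE.finditer(text)}
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64 after all
        # Only a literal that decodes to PHP, a script tag or more obfuscation counts; image data does not.
        if "<?php" in decoded or "<script" in decoded.lower() or OBFUSCATION_RE.search(decoded):
            reasons.add("base64 literal decodes to code")
    return sorted(reasons)


def triage(clean_root, live_root):
    """Diff, then scan every added or modified PHP file for obfuscation indicators."""
    added, modified = diff_against_clean(clean_root, live_root)
    report = {}
    for rel in added + modified:
        if rel.lower().endswith(PHP_SUFFIXES):
            report[rel] = obfuscation_indicators(os.path.join(live_root, *rel.split("/")))
    return added, modified, report


# Constructed content for the demo. The "payload" is harmless and only stands in for injected code.
PAYLOAD_B64 = base64.b64encode(b'<?php echo "constructed payload for the scanner demo, harmless"; ?>').decode()
IMAGE_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 48).decode()  # fake image bytes
CLEAN_FILES = {
    "index.php": "<?php require 'wp-blog-header.php';\n",
    "wp-login.php": "<?php // constructed stand-in for the login script\nlogin_form();\n",
    "wp-includes/rss.php": "<?php // constructed stand-in for MagpieRSS\n",
}
LIVE_FILES = dict(CLEAN_FILES)
LIVE_FILES["wp-login.php"] += "eval(base64_decode('" + PAYLOAD_B64 + "'));\n"  # core file tampered with
LIVE_FILES["wp-content/themes/default/xmlrp.php"] = '<?php $c = "' + PAYLOAD_B64 + '"; eval(base64_decode($c));\n'
LIVE_FILES["wp-content/plugins/gallery/gallery.php"] = '<?php $icon = "' + IMAGE_B64 + '";\n'  # benign data URI


def write_tree(files):
    """Materialise a {relative_path: content} map in a fresh temp directory."""
    root = tempfile.mkdtemp(prefix="wptriage-")
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


def build_demo_trees():
    """Return (clean_root, live_root) temp directories built from the constructed file sets."""
    return write_tree(CLEAN_FILES), write_tree(LIVE_FILES)


if __name__ == "__main__":
    clean, live = build_demo_trees()
    added, modified, report = triage(clean, live)
    print("added:", added)
    print("modified:", modified)
    for rel, reasons in report.items():
        print(rel, "->", reasons or "no indicators")
```

In practice the clean copy is a fresh WordPress download of the same version with the same plugins and themes unpacked beside it, so that wp-content/ diffs are meaningful too; anything the diff reports and the scan flags is a candidate backdoor, and anything modified in core is simply replaced from the clean copy.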

http://sucuri.net David

One thing that you didn't mention was changing the secret keys. If the attackers were able to login at that time, they might still have access via the old cookies. So change the keys asap. This link explains:


http://chuckreynolds.us Chuck Reynolds

So what that does is, when viewed with google bot, it removes the drug names from the posts but leaves numbers all over the site… like 50303 between text, at the top of the page, all over the place… and some or all body text is strike or line-through; in css…. So it seems removing that only removes part of it…. because within minutes – the drug names are back in and the numbers all over are gone and it starts over.

I've changed the security keys in wp-config… I've chmodded everything to proper. I've removed both wp-admin and wp-includes directory, and uploaded fresh from source.

My next move for them is to install a fresh version of WP, take that csp891_options table and completely wipe the one they're using now and use the new one. Reinstall the plugins and reset up the settings… In theory that should work.

They have so much old plugin data in the sql file I can hardly get through it all… Hopefully that works.

http://chuckreynolds.us Chuck Reynolds

2nd post…. actually found more crap in the database

search options table for these:

csp891_check_hash
class_generic_support
rss_%
widget_generic_support

They all have a TON of encoded crap in them and are not native to WP… the last one widget_generic_support didn't have any data in it but isn't supposed to be there


http://www.coloneltiki.com Craig Hermann

Chuck, I’m having the same issue – I cannot find what must be the last bad file/insert, security keys changed, chmodded everything, removed bad wp_options, &c.

I still have the random text (1a 6b 347 …) spread throughout the version of my pages pulled by SE bots…

did you find anything else?


http://chuckreynolds.us Chuck Reynolds

so the entry in options table is not coming back but the strike text and random numbers all over the visible area is still happening while viewing as google bot.

No time to look at it cause i'm traveling but they got somebody else helping out – hopefully he can figure out the rest of it. IF so I'll post it here

http://www.animepalm.com/ Anime

Holy crap.. I haven't had this happen to me, but after reading all the crap you went through, I hope it never does. Man…. I'm guessing since your blog is still up, you got it sorted, so grats, but damn, I feel really sorry for you.


Cory

Ok, I had this issue too and it kept coming back. Every time I went into Google Webmaster Tools and did a “Fetch As Google Bot” it came up with the stupid hacked stuff still there.

Finally, I did this:

SELECT * FROM `csp891_options` WHERE option_value LIKE '%pharm%'

I found another entry with a lot of other cache junk. When I deleted it, immediately it was removed from google webmaster tools “fetch as google bot”. Now, it's only been a few minutes so I'll come back tomorrow and let you know if it's gone for good. Gosh I hope this is it. This has been a nightmare!

http://s4xton.com/ Aaron Landry

Just wanted to say thanks. Same thing happened to me and it took a bit of googling to find the right solution. You led me down the right path and I think I'm fixed up now. Cheers.
